How To Achieve Max Security With ZERO Alerts! - Discussion

I suspect that the CIS 3.8 User Guide is inaccurate in its description of Clean PC Mode for the following paragraph:
Comodo Internet Security calculates the hash of an executable at the point it attempts to load into memory. It then compares this hash with the list of known/recognized applications that are on the Comodo safe list. If the hash matches the one on record for the executable, then the application is safe. If no matching hash is found on the safelist, then the executable is ‘unrecognized’ and you will receive an alert.

The User Guide doesn’t describe any difference between Clean PC Mode and Safe Mode with regard to Image Execution Control, but we know that isn’t true!

For Clean PC Mode, I suspect that it should be reworded as follows:
When the Defense+ mode is changed to Clean PC Mode (including on installation), Comodo Internet Security calculates the hash on all executables currently on disk and stores them in a local database. Comodo Internet Security calculates the hash of an executable at the point it attempts to load into memory. It then compares this hash with the list of known/recognized applications that are on the local database. If the hash matches the one on record for the executable, then the application is allowed. If no matching hash is found on the local database, then the executable is ‘unrecognized’ and you will receive an alert.

Since I don’t have CIS 3.8 installed, I am not sure if my theory is correct. I would greatly appreciate it if someone could do an experiment using CIS 3.8 or 3.9 RC1 to see if the User Guide is exactly correct or not. Using Clean PC Mode, on the admin account, download and run a new executable that is in Comodo’s safelist, and download and run a new executable that is NOT in Comodo’s safelist. Report whether each test results in an Image Execution Control alert.
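The two paragraphs above describe two different lookups: the User Guide's Safe Mode text (compare the load-time hash with the vendor safe list) and the poster's hypothesised Clean PC Mode text (compare it with a local baseline taken when the mode was switched on). The script below is an added illustration, not Comodo's code, that models both lookups side by side so the difference the proposed experiment would expose is visible. File contents, the "safe list" and the file names are constructed sample data; the mode names `safe` and `clean_pc` are labels chosen here.

```python
"""Model of hash-based image execution control (added illustration, not CIS code).

Two policies are modelled:
  safe     - User Guide text: load-time hash must be on the vendor safe list.
  clean_pc - post's reworded text: load-time hash must match the entry recorded
             for that path in a local baseline taken when the mode was enabled.
All files, hashes and the safe list below are constructed for the demo.
"""
import hashlib
import tempfile
from pathlib import Path

EXEC_SUFFIXES = (".exe", ".dll", ".sys")


def sha256_of(path: Path) -> str:
    """Hash the file in chunks, as a load-time check would."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def baseline(root: Path) -> dict:
    """Local database built when Clean PC Mode is switched on:
    path -> hash for every executable currently on disk under root."""
    return {
        str(p): sha256_of(p)
        for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() in EXEC_SUFFIXES
    }


def classify(path: Path, mode: str, local_db: dict, safe_list: set) -> str:
    """Decision at load time; returns 'allow' or 'alert'."""
    digest = sha256_of(path)
    if mode == "safe":
        # Only the vendor safe list counts; installed-but-unlisted programs alert.
        return "allow" if digest in safe_list else "alert"
    if mode == "clean_pc":
        # Only the local baseline counts; a file that was modified after the
        # baseline no longer matches the hash on record and therefore alerts.
        return "allow" if local_db.get(str(path)) == digest else "alert"
    raise ValueError(f"unknown mode {mode!r}")


def demo() -> dict:
    """Run the poster's experiment against both models; returns (mode, name) -> verdict."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        stable = root / "stable.exe"        # installed, never changes, not safelisted
        patched = root / "installed.exe"    # installed, later modified in place
        stable.write_bytes(b"MZ constructed: home-grown program")
        patched.write_bytes(b"MZ constructed: installed program v1")

        local_db = baseline(root)           # Clean PC Mode switched on here

        new_safe = root / "newsafe.exe"     # downloaded later, on the safe list
        new_safe.write_bytes(b"MZ constructed: vendor-safelisted download")
        unknown = root / "unknown.exe"      # downloaded later, listed nowhere
        unknown.write_bytes(b"MZ constructed: unlisted download")
        safe_list = {sha256_of(new_safe)}   # constructed vendor safe list
        patched.write_bytes(b"MZ constructed: installed program v2")

        results = {}
        for mode in ("safe", "clean_pc"):
            for p in (stable, patched, new_safe, unknown):
                results[(mode, p.name)] = classify(p, mode, local_db, safe_list)
        return results


if __name__ == "__main__":
    for (mode, name), verdict in demo().items():
        print(f"{mode:9} {name:14} {verdict}")
```

Under the `clean_pc` model the freshly downloaded safelisted program alerts and the unlisted home-grown program does not, which is exactly the outcome the proposed experiment would distinguish from the `safe` model, where the reverse happens.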

I don’t think it works this way in clean PC mode. In clean PC mode Defence+ just monitors modifications and puts modified files into “my pending files”, so there is no clean PC database to compare with. It still uses the safe applications database, and if the new/modified exe still matches a safe application or is digitally signed then it does not go to “my pending files”. See also: https://forums.comodo.com/help_for_v3/does_cpf_30_do_md5sha-t17679.0.html

In clean PC mode explorer has to be able to run any safe program or you will get loads of pop-ups. Any signed or safe program will not be blocked even if freshly downloaded. This is safe as it must be signed or match the checksum in safe list. A file sharing program might be safe. I might even install in a limited user account. Not everyone might want their children running such a program.

Since Clean PC Mode avoids pop-ups for programs already installed, I don’t understand why it would be necessary for Clean PC Mode to also allow safe programs. Please explain.

Since you have much more experience than me with Clean PC Mode, you are more likely right about how it works. But if the issue is important enough to you, it may be worth doing the experiment I suggested in case it helps educate us all.

You offer a compelling issue with what Comodo considers safe versus what is safe for a child. Comodo only offers you the option of Paranoid Mode, which would make most of us abandon Defense+. Maybe we could propose to Comodo that Clean PC Mode works the way I thought it does, as that would potentially solve your problem. My experience as an engineer is that my ideas are more easily accepted if I provide a compelling problem and a specific solution.

I mean already installed, which are considered safe in clean PC mode.

The experiment would not work. Any file in my pending files gives a pop-up when run. Applications in the safe list cannot be added to “my pending files”. Any program not in my pending files runs without a pop-up, even programs I have written myself which cannot be on the safe list.

It would be nice to have the equivalent of a software restriction policy. See: https://forums.comodo.com/defense_help/windows_software_restriction_policies_equivalent_with_defense-t37794.0.html

Can you explain these rules?
a. I believe it is related to Defence +?
b. Create a new program group called safe applications containing c:\windows* and C:\program files*: Is it through ‘my protected files’ > ‘group’?
c. Explorer runs safe files and not any files. My default setting in access rights is: default action for folders/files = ask, Allow files/folder *.exe, *.dll, *.sys - how do I change this - delete the 3 extensions and add the 2 c:\ paths?

Thanks

Yes.

Yes.

In Defence+, “computer security policy”, select what you want to restrict, e.g. explorer.exe (take care not to restrict explorer too much or you will lock up everything), and in process access rights under “run an executable” take out *.exe from allowed applications and add in its place the safe applications group.

The intention is to only allow programs to be run from locations where the limited user cannot write, so they cannot download a virus and run it. There are lots of ways of doing this but you need to understand how Defence+ works.
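The rule described in the two posts above amounts to a path allowlist: Explorer may launch an executable only if it lives under c:\windows\* or c:\program files\*, locations a limited user cannot write to. The function below is an added illustration of that decision, not Defense+'s own logic; it uses `ntpath` so it runs on any platform and shows the two checks a naive prefix match gets wrong (`..` segments and sibling directories such as C:\Windows2). The deny-list of writable subfolders (C:\Windows\Temp) is an assumption added for illustration, since the check does not consult real ACLs.

```python
"""Path-based 'safe applications' check (added illustration, not Defense+ code).

Explorer may run an executable only from under the allowed roots below. A
subfolder that limited users can typically write to is excluded; that list
is an assumption for the demo, a real policy would consult the ACLs.
"""
import ntpath

# The two locations named in the thread's 'safe applications' group.
ALLOWED_ROOTS = (r"C:\Windows", r"C:\Program Files")
# Assumed for illustration: user-writable subfolders under protected roots.
WRITABLE_EXCEPTIONS = (r"C:\Windows\Temp",)


def _canon(path: str) -> str:
    """Collapse '.' and '..', unify separators and case, as the OS would when
    resolving the image path. Without this 'C:\\Windows\\..\\Users\\x\\evil.exe'
    would pass a plain prefix test on 'C:\\Windows'."""
    return ntpath.normcase(ntpath.normpath(path))


def _under(path: str, root: str) -> bool:
    """True if path is root itself or lies inside it. The separator is
    appended so that 'C:\\Windows2\\evil.exe' does not match 'C:\\Windows'."""
    p, r = _canon(path), _canon(root)
    return p == r or p.startswith(r + ntpath.sep)


def explorer_may_run(path: str) -> bool:
    """Decision for an executable Explorer is asked to launch."""
    # Relative or drive-less paths could resolve anywhere; refuse them
    # (assumed policy for the demo).
    if not ntpath.splitdrive(path)[0] or not ntpath.isabs(path):
        return False
    if any(_under(path, bad) for bad in WRITABLE_EXCEPTIONS):
        return False
    return any(_under(path, root) for root in ALLOWED_ROOTS)


if __name__ == "__main__":
    # Constructed sample launches, each tagged with the check it exercises.
    samples = [
        (r"C:\Program Files\Vendor\app.exe", "installed program"),
        (r"c:\windows\system32\notepad.exe", "case-insensitive match"),
        (r"C:/Program Files/Vendor/app.exe", "forward slashes"),
        (r"C:\Users\kid\Downloads\game.exe", "user profile download"),
        (r"C:\Windows\..\Users\kid\evil.exe", "dot-dot escape"),
        (r"C:\Windows2\evil.exe", "sibling directory"),
        (r"C:\Windows\Temp\dropped.exe", "writable subfolder"),
        (r"\Windows\x.exe", "no drive letter"),
    ]
    for p, why in samples:
        print(f"{'allow' if explorer_may_run(p) else 'block':5}  {why:24} {p}")
```

Note that the product's own group syntax (`c:\windows*`) is a glob that would also match c:\windows2; the separator-terminated check above is the stricter reading of the intent stated in the post.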

Thank you. I am just beginning to get by with Defense+.

I have just installed the latest Microsoft update patches and had a pop-up. Unfortunately my alt-printscreen did not work and I cannot remember what it was for. However, it shows it is not safe to install updates with parental control on.

Latest CIS 3.9 RC2 on vista 32 bit sp1.

IMPORTANT NOTES: Due to the fact that this configuration suppresses and blocks all alerts, certain software updates may be unable to run in this mode, unless the vendor of the application/updater is in COMODO's 'My Trusted Software Vendors' list located in the Defense+ tab of CIS. A good idea is to create a preset configuration (called "Updater Configuration" for example), and configure it to allow all of your updaters to install smoothly. This way, when switching to this configuration, you can perform maintenance on your PC, and afterward, switch it back to the parental configuration (which suppresses all alerts) so no one else can make changes. This method would prove very useful for tasks such as Microsoft Windows service pack updates, to ensure a proper installation is performed.

MS updates should work if MS is on the Trusted Vendor List, but it would be of great help to know what the alert said. Maybe next time there are updates?

MS update may write to Protected Directories, such as "%windir%\system32" and "%windir%\SoftwareDistribution". Alerts will pop up even for safe or Trusted Vendor signed files.

Installed this month's Microsoft updates and again got one pop-up:

mrtstub.exe is a safe program. It is about to create a new file folder c:\9c8364a94385c3875\MRT.exe.

Curiously I only got this on one PC which was set to standard proactive and then clean PC mode selected. My main PC had safe mode temporarily selected for the updates and did not give this pop-up but I think it is the same pop-up I got on my main PC last month.

Vista SP2 32bit with UAC on.

My experience is that trusted programs are allowed to write to existing exe files but not create new ones which is the case here. I have no rules for mrtstub.exe in computer security policy.

I administer a PC used by an inexperienced family member who clicks allow on every alert, after experiencing Defense+ Paranoid Mode that took months to train. I have been using on my PC the full CIS v3.9 in Clean PC Mode for a month. I would like to upgrade the inexperienced user’s PC to CIS v3.9, following the suggested strategy from Configuring CIS for Maximum Security with ZERO Alerts. However, the following are issues that prevent me:

  1. False-positive AV rate is so high that the user will likely be blocked from accessing safe emails and web sites.
    See https://forums.comodo.com/feedbackcommentsannouncementsnews_cis/antivirus_component_is_not_suitable_for_inexperienced_users-t41493.0.html

  2. When Parental Control is disabled for maintenance, Defense+ can covertly create an exception to an application’s access right that effectively allows the access right when Parental Control is enabled again.
    See https://forums.comodo.com/defense_bugs/protected_folders_not_protected_after_download_of_any_exe_v3995478509_x32-t41327.0.html

  3. Some applications can write to protected files/folders without an alert, so Parental Control won’t block this.
    See https://forums.comodo.com/defense_bugs/no_alert_for_firefox_write_to_protected_filesfolders_v3995478509_x32-t41370.0.html

I change to a different configuration for installation/upgrades. This should stop this happening.

I would just love a batch file which set CIS for maximum security with very few pop-ups - as discussed here!
An eSet user - “Blackspear” - created a super one for NOD32, which just worked!
Any thoughts?

I know you are trying to be helpful, so please excuse my frustration…

If I install a new application under a different configuration, then the inexperienced-user configuration does not get the Defense+ and Firewall rules and My Safe Files inclusion that allow it to operate. My Firewall rules, especially, are very specific (Custom Policy Mode). I do not know how to copy individual rules from one to the other (other than manually using screen capture). My inexperienced user already uses a Limited User Account and has a Software Restriction Policy in force, so I would like to simplify my life with CIS by having just one configuration and only enable/disable Parental Control. I anticipate that I will need to do a fresh install of CIS 3.10 or some other CIS version in the near future, and I don’t want the retraining to be as time-consuming as I would expect with two separate CIS configurations. I can screen-capture the Firewall rules in two screens, but Defense+ rules are highly nested and complex.

CleanPC mode and safelisting app autolearning are basically meant to prevent possible incompatibilities and automatically create rules (whether parental control is enabled or not).

Nor will the AV affect websites and safe emails…

Though apparently there is no limit to inexperience, just have those inexperienced users subscribe to these forums themselves, this may actually be going to solve their already anticipated issues.

The rules in the installation configuration do not matter much. Just use safe mode for Defence+ and firewall. Your special rules only need to be in your normal configuration. Your inexperienced user should never see the installation configuration. Install your new software, change back to normal configuration and then configure the new software. This works well for me in a similar situation. I find I only have to change mode to install/update software.

This works for me as I use clean PC mode for normal use and everything I do not want to control is auto-learned.

What happened to the original thread: “Configuring CIS for Maximum Security with ZERO Alerts”? I try to click on it and I get a message from the boards saying I don’t have access to it.

JR

Yeah, seems the original has gone missing. But here is the good news: google for 'https://forums.comodo.com/overview_cis/comodo_internet_security_overview-t31059.0.html;prev_next=prev' and go to the 'cached' page - as it was on 16th July 2009.

or the video tutorial is here:

cheers
kmp

The Configuring CIS for Maximum Security with ZERO Alerts sticky is now back.

Sorry for the inconvenience.